Intermediate certificate not loaded in correct store
I've copied the root and the intermediate certificate as .cer files into the PSDRoot\PSDResources\Certificates folder. The certificates are imported into PE, but both end up in the Root store:
In the CA store, nothing from me is imported:
So the connection over HTTPS does not work.
Where are these certificates stored in the PE image, and how are they imported in the Windows OS? How can we deal with intermediates?
Thanks
When generating the boot media, the certificate is copied to litetouchboot.wim and to the ISO file.
What happens if you have the intermediate and root in the same .cer file, with the intermediate being first? I put my local root and sub CA in the same file.
Then only the first certificate (in my case the intermediate) is imported. And to be clear, I need to have these certificates in WinPE. Afterwards, in Windows, I'm able to import these two certs into the correct store! I think we have to split intermediate and root certificates into separate folders and import them with different commands during the DISM process for creating the PE ISO... But I don't know where I can do that.
You are correct, it only looks at the first cert in the chain. You are looking for "function Import-PSDCertificate" in the code base. Maybe AI can write a drop-in that looks for the PEM format and imports the chain correctly but still allows the DER format that it currently does.
I added folders to "PSDResources\Certificates" called root and inter and put the related certificates there.
Then I changed the code in PSDStart.ps1 in the section "# Install PSDRoot certificate if exist in WinPE" like this:
```powershell
# Install PSDRoot certificate if exist in WinPE
Write-PSDLog -Message "$($MyInvocation.MyCommand.Name): Entering certificate block..."
$Certificates = @()
$CertificateLocations = "$($env:SYSTEMDRIVE)\Deploy\Certificates","$($env:SYSTEMDRIVE)\MININT\Certificates"
foreach ($CertificateLocation in $CertificateLocations) {
    if (Test-Path -Path $CertificateLocation) {
        Write-PSDLog -Message "$($MyInvocation.MyCommand.Name): Looking for certificates in $CertificateLocation"

        # Check for ROOT certificates
        $RootCertPath = Join-Path -Path $CertificateLocation -ChildPath "ROOT"
        if (Test-Path -Path $RootCertPath) {
            $RootCerts = Get-ChildItem -Path $RootCertPath -Filter *.cer
            foreach ($Certificate in $RootCerts) {
                Write-PSDLog -Message "$($MyInvocation.MyCommand.Name): Found $($Certificate.FullName), trying to add as root certificate"
                $Return = Import-PSDCertificate -Path $Certificate.FullName -CertStoreScope "LocalMachine" -CertStoreName "Root"
                if ($Return -eq "0") {
                    Write-PSDLog -Message "$($MyInvocation.MyCommand.Name): Successfully imported $($Certificate.FullName)"
                } else {
                    Write-PSDLog -Message "$($MyInvocation.MyCommand.Name): Failed to import $($Certificate.FullName)"
                }
            }
        }

        # Check for Intermediate certificates
        $InterCertPath = Join-Path -Path $CertificateLocation -ChildPath "INTER"
        if (Test-Path -Path $InterCertPath) {
            $InterCerts = Get-ChildItem -Path $InterCertPath -Filter *.cer
            foreach ($Certificate in $InterCerts) {
                Write-PSDLog -Message "$($MyInvocation.MyCommand.Name): Found $($Certificate.FullName), trying to add as intermediate certificate"
                $Return = Import-PSDCertificate -Path $Certificate.FullName -CertStoreScope "LocalMachine" -CertStoreName "CA"
                if ($Return -eq "0") {
                    Write-PSDLog -Message "$($MyInvocation.MyCommand.Name): Successfully imported $($Certificate.FullName)"
                } else {
                    Write-PSDLog -Message "$($MyInvocation.MyCommand.Name): Failed to import $($Certificate.FullName)"
                }
            }
        }
    }
}
```
Does anyone have a better idea?
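A drop-in along the lines suggested earlier in the thread (handle a PEM chain while still accepting DER), written as an added example; it is not PSD project code and not the code posted above, and it only assumes the .NET X509 classes available in Windows PowerShell 5.1 on WinPE. It reads one .cer file, splits a PEM chain into its individual certificates, and sends self-signed ones to LocalMachine\Root and everything else to LocalMachine\CA, so both a combined root+sub-CA file and the separate ROOT/INTER folders end up in the right stores. The self-signed test (Subject equals Issuer) is a heuristic, not a chain validation.

```powershell
# Added example: import every certificate in a .cer file (DER or PEM, single or chain)
# into the matching LocalMachine store. Not part of PSD; Import-PSDCertificate is not used.
function Import-CertificateChainFromFile {
    [CmdletBinding()]
    param(
        [Parameter(Mandatory)][string]$Path
    )
    $bytes = [System.IO.File]::ReadAllBytes($Path)
    $text  = [System.Text.Encoding]::ASCII.GetString($bytes)
    $certs = @()

    if ($text -match '-----BEGIN CERTIFICATE-----') {
        # PEM: a chain file holds several blocks; decode each block on its own
        # (the original importer only sees the first one).
        $pattern = '-----BEGIN CERTIFICATE-----([\s\S]*?)-----END CERTIFICATE-----'
        foreach ($m in [regex]::Matches($text, $pattern)) {
            $der = [Convert]::FromBase64String(($m.Groups[1].Value -replace '\s', ''))
            $certs += New-Object System.Security.Cryptography.X509Certificates.X509Certificate2 -ArgumentList (,$der)
        }
    } else {
        # DER: exactly one certificate per file
        $certs += New-Object System.Security.Cryptography.X509Certificates.X509Certificate2 -ArgumentList (,$bytes)
    }

    foreach ($cert in $certs) {
        # Heuristic: a self-signed cert (Subject == Issuer) is a root; anything else is an intermediate.
        $storeName = if ($cert.Subject -eq $cert.Issuer) { 'Root' } else { 'CA' }
        $store = New-Object System.Security.Cryptography.X509Certificates.X509Store($storeName, 'LocalMachine')
        try {
            $store.Open('ReadWrite')
            $store.Add($cert)   # no-op if the same thumbprint is already present
            Write-Verbose ("Imported {0} ({1}) into LocalMachine\{2}" -f $cert.Subject, $cert.Thumbprint, $storeName)
        } finally {
            $store.Close()
        }
    }
    return $certs
}

# Usage inside the certificate block, replacing the per-folder Import-PSDCertificate calls:
# Get-ChildItem -Path "$env:SYSTEMDRIVE\Deploy\Certificates" -Filter *.cer -Recurse |
#     ForEach-Object { Import-CertificateChainFromFile -Path $_.FullName -Verbose }
```

After the import, `Get-ChildItem Cert:\LocalMachine\CA` in the WinPE shell should list the intermediate and `Get-ChildItem Cert:\LocalMachine\Root` the root, which is the quickest way to confirm the HTTPS chain can now be built.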